title: Dual booting OpenBSD Guix System
date: 2021-07-19 02:29
tags: OpenBSD
summary: My crush on OpenBSD
---

EDIT: This [systematic review of OpenBSD security
mitigations](https://www.youtube.com/watch?v=3E9ga-CylWQ&t=563s)
points out some inaccuracies in the following blog.

I will be honest.  I have a little crush on [OpenBSD](https://www.openbsd.org/).
When I first learned about free/open operating systems, I knew that I wanted to
use them.  But in my early days of knowing nothing about computers, my limited
research lead me to the conclusion that I could choose one of the \*BSDs or a
GNU/Linux distribution.

When I was making my decision about what free/open operating system that I
wanted to run, I was intrigued by the code quality that FreeBSD, NetBSD,
DragonFlyBSD, and particularly the insane [masturbating
monkey](https://lkml.org/lkml/2008/7/15/296) behavior that results from the
impressive design goals of [security, robustness, tracking and implement
standards (ANSI, POSIX, parts of X/Open, etc.), and
portability](https://www.openbsd.org/goals.html) of OpenBSD.

OpenBSD is known as being one of, if not the most secure, operating system in
the world.  It has pioneered many security related features, many of which have
been ported to the other \*BSDs
[including](https://en.wikipedia.org/wiki/OpenBSD_security_features):

-   W or X: you can either write or execute to a section of the hard
    drive but not both.
-   secure replacements for strcpy and strcat, namely strlcpy and
    strlcat
-   kernel randomization in that the linker randomly relinks the
    kernel at every reboot or halt (this is awesome)!
-   changes to malloc to use mmap, "which was modified to return
    random memory addresses&#x2026;"
-   privilege separation/revocation and chrooting of common
    applications
-   remove-all of outdated/underused code.  I read somewhere that
    they removed the bluetooth support and are actively removing
    old or outdated syscalls.  OpenBSD has 300 some syscalls and
    the other \*BSDs have 400 to 500, though I cannot currently
    provide a reference for this.

Surprizingly, while openBSD is strives to be secure, security is
not necessarily the central focus, as lead developer and founder
Theo de Raadt [explains](https://www.reddit.com/r/BSD/comments/af1itd/how_openbsd_is_secure_compared_to_other_operating/) (I'm not certain if he actually said this):

> Many people think that is about security. It is not. Largely,
> those standards are about accountability in the face of
> threat. Which really isn't about making systems secure. It's about
> knowing when your system's security breaks down. Not quite the
> same thing. Please count the commercially deployed C, B, or even A
> systems which are actually being used by real people for real
> work, before foaming at the mouth about it all being "so
> great". On the other hand, I think we wil see if some parts of
> that picture actually start to show up in real systems, over
> time. By the way, I am surprised to see you list ACLs, which don't
> really have anything to do with B1 systems.
>
> As to the second issue, I have no idea what a distributed kernel
> is, nor do I see how anything like that would improve security or
> quality of a system.

The OpenBSD developers are also prolific software developers:
[opensmtpd](https://www.opensmtpd.org/),
[httpd](https://man.openbsd.org/httpd.8), [doas](https://man.openbsd.org/doas)
([why doas?](https://flak.tedunangst.com/post/doas)),
[sndio](https://sndio.org/) (a sound server), [mandoc (manual page
generator)](https://man.openbsd.org/mandoc.1), and probably lots of other cool
things.  I currently am using opensmtpd as my
[email](https://gnucode.me/hosting-your-own-email-part-1.html)
[server](https://gnucode.me/hosting-your-own-email-part-2.html), and it's pretty
awesome!

Also, there is some renewed interested in creating an [FSF endorsed
distribution](https://www.gnu.org/distros/free-distros.en.html) from the
[hyperbolaBSD](https://www.hyperbola.info/news/announcing-hyperbolabsd-roadmap/)
[project](https://itsfoss.com/hyperbola-linux-bsd/).  They probably picked
OpenBSD because of it's amazing code quality and great documentation, BUT ALSO
OpenBSD is almost an approved FSF operating system already.  OpenBSD does NOT
include proprietary code in the base install, because this is a massive security
vulnerability.  So basically, I am now dual booting Guix System and OpenBSD, and
I have my eye on HyperbolaBSD.  I hope they are successful!

P.S. The OpenBSD installer was breath-takingly easy and painless!  If you've got
an old-ish Thinkpad lying around, you might want to give it a try.
